Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers
Sept. 4, 2025, 8:16 a.m.
Description
Proofpoint researchers have observed an increase in cybercriminals using Stealerium-based malware, an open-source infostealer available on GitHub. Multiple stealers share code with Stealerium, including Phantom Stealer. Campaigns delivering Stealerium have used various lures and file types, targeting industries like hospitality, education, and finance. The malware can exfiltrate a wide range of data, including browser credentials, credit card info, and crypto wallet data. It uses anti-analysis techniques and can exfiltrate data through multiple channels like SMTP, Discord, and Telegram. The rise in Stealerium usage reflects the growing trend of threat actors pivoting to information stealers as identity theft becomes a priority.
Tags
Date
- Created: Sept. 4, 2025, 12:59 a.m.
- Published: Sept. 4, 2025, 12:59 a.m.
- Modified: Sept. 4, 2025, 8:16 a.m.
Indicators
- e590552eea3ad225cfb6a33fd9a71f12f1861c8332a6f3a8e2050fffce93f45e
- d4a33be36cd0905651ce69586542ae9bb5763feddc9d1af98e90ff86a6914c0e
- b640251f82684d3b454a29e962c0762a38d8ac91574ae4866fe2736f9ddd676e
- a00fda931ab1a591a73d1a24c1b270aee0f31d6e415dfa9ae2d0f126326df4bb
- 41700c8fe273e088932cc57d15ee86c281fd8d2e771f4e4bf77b0e2c387b8b23
- 50927b350c108e730dc4098bbda4d9d8e7c7833f43ab9704f819e631b1d981e3
- https://phantomsoftwares.site/home/.
- phantomsoftwares.site
Additional Information
- Hospitality
- Education
- Finance
- Canada